I ran a port scanner on my network and I saw some open ports... I know that an overflow vulnerability exists, but I can't discover this remotely! I know about vulnerability scanner tools, but I want to know how they perform these scans and I want to develop a vulnerability scanner...

I'm not sure I quite understand, is this correct? You're running a server of some sort, which you know has a certain buffer overflow vulnerability. You want to know how easy it is to detect that vulnerability.

An open port does not mean there is a buffer overflow, and I do not know where you got that idea.

All an open port means is that there is a service listening for traffic on that port. That's all.

Vulnerability scanners use known collections of vulnerable software versions and exploits to determine if a given service/program is vulnerable. If it is a match, it might even go so far as to test some exploit against it for confirmation, though this can cause an unintentional DoS, so it is usually something you have to tell it to do specifically.

Scanners don't just magically know that software is vulnerable or employ some super crazy advanced AI to auto-hack everything within a 50-mile radius. It's just a really fast way of checking for a needle in a haystack.

Adrasteia, yes, you are correct, but I want to know how to discover the vulnerability remotely...

Goatboy, I know that a port scanner can't do all the hard work, and about the overflow, I created a server on another machine and I set up the overflow there! If I understand you, to discover a vulnerability remotely, I have to test all possible exploits for that known vulnerable service?

Da_Costa wrote: If I understand you, to discover a vulnerability remotely, I have to test all possible exploits for that known vulnerable service?

Not if you can find out which version is running: sometimes you can because it's advertised by the service, sometimes because of a certain feature only available in a new version, etc. Otherwise, detection can be based on trying a certain combination/input that will return an error for vulnerable applications (like adding a quote to a URL to check for SQL injection). And lastly, yes, of course you can go in guns blazing and hope one of the attacks hits. Be careful not to get locked out because of firewalls or intrusion detection systems, or to cause an unforeseen DoS, when doing that in real life though.
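The version-matching approach described in this thread (the scanner reads the version a service advertises and compares it against a list of known-affected versions), written out as an added example that is not from any poster here. The product names, banner formats and affected-version ranges are all constructed placeholders, not real advisories.

```python
import re
from typing import NamedTuple, Optional

# Constructed advisory list: product -> list of (first affected, first fixed) ranges.
# Placeholder entries for illustration only; a real scanner loads these from a vulnerability feed.
KNOWN_VULNERABLE = {
    "acmeftpd": [("1.3.0", "1.3.6")],   # affected when 1.3.0 <= version < 1.3.6
    "acmessh": [("7.0", "7.5")],        # affected when 7.0 <= version < 7.5
}

# Banner shapes this example understands (constructed patterns):
#   SSH-2.0-AcmeSSH_7.4                 SSH identification string
#   220 AcmeFTPd 1.3.5 Server ready     FTP greeting line
#   Server: AcmeHTTPd/2.4.1             HTTP response header
BANNER_PATTERNS = [
    re.compile(r"^SSH-\d\.\d-(?P<product>[A-Za-z]+)[_/ ](?P<version>[\d.]+)"),
    re.compile(r"^220[ -](?P<product>[A-Za-z]+)[ /](?P<version>[\d.]+)"),
    re.compile(r"^Server:\s*(?P<product>[A-Za-z]+)/(?P<version>[\d.]+)"),
]

class Service(NamedTuple):
    product: str
    version: str

def parse_banner(banner: str) -> Optional[Service]:
    """Extract product name and version from an advertised banner; None if not advertised."""
    for pat in BANNER_PATTERNS:
        m = pat.match(banner.strip())
        if m:
            return Service(m.group("product").lower(), m.group("version"))
    return None

def version_key(v: str) -> tuple:
    """Turn '1.10' into (1, 10) so versions compare numerically ('1.10' > '1.9'), not as strings."""
    return tuple(int(p) for p in v.strip(".").split("."))

def is_affected(svc: Service) -> bool:
    """True when the advertised version falls inside a known-affected range for that product."""
    for lo, hi in KNOWN_VULNERABLE.get(svc.product, []):
        if version_key(lo) <= version_key(svc.version) < version_key(hi):
            return True
    return False

def assess(banner: str) -> str:
    """Classify one banner. A version match is a candidate finding, not proof: distributions
    often backport fixes without changing the advertised version, so confirm before acting."""
    svc = parse_banner(banner)
    if svc is None:
        return "unknown"        # nothing advertised, so banner matching is inconclusive here
    return "affected" if is_affected(svc) else "not-affected"
```

The "unknown" result is the case the poster describes: when no version is advertised, a scanner has to fall back on feature probes or test inputs rather than a version lookup.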